
There's more cargo cultism in security than pretty much any other field of CS/IT that I am aware of. "Best practices" are cargo culted with zero understanding as to why they exist.

"If firewall equals secure, then MOAR firewall equals more secure!"

Blocking ICMP, of course, makes the firewall more firewally.

I try to explain that (a) firewalls are practically useless alone since most threat vectors today are "pulled" not "pushed," and (b) things need to actually work... but nope.

Unfortunately in security black hats tend to be more skilled than (most) white hats. Really good security people are some of the most knowledgeable people I've met, but there don't seem to be many of them. They also tend to be terrible salespeople (like most techies), so the bad checkbox-ticking "security firms" are the ones who get enterprise contracts.
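The ICMP point above is easy to demonstrate. Path MTU Discovery relies on routers answering oversized Don't-Fragment packets with ICMP "Fragmentation Needed" (type 3, code 4); a firewall that drops every ICMP message turns the path into a black hole where large packets vanish and the sender never learns why. The following simulation is an added example, not part of the Hacker News comment, and all of the class and function names (`Router`, `Firewall`, `Sender`, `run_scenario`) and the constructed MTU values are assumptions made for the illustration:

```python
"""Added example: why "block all ICMP" breaks Path MTU Discovery (PMTUD).

Constructed scenario: a sender assumes a 1500-byte path MTU, a router on the
path only carries 1400 bytes, and a firewall between them either forwards
ICMP Fragmentation Needed (type 3, code 4) or drops all ICMP.
"""
from dataclasses import dataclass
from typing import Optional, Set, Tuple

ICMP_FRAG_NEEDED = (3, 4)  # type 3 Destination Unreachable, code 4 Fragmentation Needed


@dataclass
class Packet:
    size: int
    dont_fragment: bool = True


@dataclass
class IcmpError:
    type: int
    code: int
    next_hop_mtu: int


@dataclass
class Router:
    mtu: int

    def forward(self, pkt: Packet) -> Tuple[bool, Optional[IcmpError]]:
        """Deliver the packet, or (for DF packets that are too big) drop it and
        emit the ICMP error that tells the sender the next-hop MTU."""
        if pkt.size <= self.mtu:
            return True, None
        if pkt.dont_fragment:
            return False, IcmpError(*ICMP_FRAG_NEEDED, next_hop_mtu=self.mtu)
        return True, None  # would be fragmented; not modelled further here


@dataclass
class Firewall:
    allowed_icmp: Set[Tuple[int, int]]  # empty set models the "block all ICMP" rule

    def passes(self, err: IcmpError) -> bool:
        return (err.type, err.code) in self.allowed_icmp


@dataclass
class Sender:
    path_mtu: int = 1500

    def send_bytes(self, total: int, router: Router, firewall: Firewall,
                   max_rounds: int = 10) -> Tuple[int, int, int]:
        """Try to deliver `total` bytes; return (delivered, final path MTU, drops).

        A real TCP stack retransmits forever; max_rounds just bounds the demo."""
        delivered = drops = 0
        for _ in range(max_rounds):
            if delivered >= total:
                break
            size = min(self.path_mtu, total - delivered)
            ok, err = router.forward(Packet(size))
            if ok:
                delivered += size
                continue
            drops += 1
            # The sender can only adapt if the router's ICMP error gets through.
            if err is not None and firewall.passes(err):
                self.path_mtu = err.next_hop_mtu
            # Otherwise it retransmits the same oversized segment: a PMTU black hole.
        return delivered, self.path_mtu, drops


def run_scenario(allowed_icmp: Set[Tuple[int, int]]) -> Tuple[int, int, int]:
    """Constructed inputs: 3000 bytes across a 1400-byte-MTU hop."""
    return Sender().send_bytes(3000, Router(mtu=1400), Firewall(allowed_icmp))


if __name__ == "__main__":
    print("ICMP frag-needed allowed:", run_scenario({ICMP_FRAG_NEEDED}))  # (3000, 1400, 1)
    print("all ICMP blocked:        ", run_scenario(set()))               # (0, 1500, 10)
```

With the error forwarded, one drop is enough for the sender to learn the 1400-byte path MTU and finish the transfer; with all ICMP blocked, every retransmission is dropped and nothing is delivered, which is exactly the "things need to actually work" failure the comment describes. The defensible rule set is to permit the ICMP types that connectivity depends on (destination-unreachable, time-exceeded, parameter-problem, and for IPv6 packet-too-big plus neighbor discovery) rather than dropping the protocol wholesale.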
